My final Chair’s Column should be one waxing eloquently about the highlights of this year. Unfortunately, or fortunately for you, my final column is going to be more about inside baseball of the ABA than visionary. Because of the efforts that the Section is making to communicate with policymakers in D.C. and elsewhere, several people have raised the question as to what positions the ABA Health Law Section is authorized to take in those communications. In light of those questions, I thought it useful at this point in healthcare reform to outline the limits on the Health Law Section regarding the espousal of any particular position with government policymakers.

On July 14 the U.S. Department of Health and Human Services published a Notice of Proposed Rule Making for proposed regulations modifying the HIPAA privacy, security and enforcement rules (“NPRM”). Probably the most important single change to the HIPAA rules proposed in the NPRM is the expansion of Business Associate status to every entity which touches PHI, except on a “random and infrequent” basis, to perform a function or activity directly or indirectly “with respect to” a Covered Entity. This expanded status follows logically from HITECH’s expansion of jurisdiction to regulate PHI privacy and security to Business Associates, but is likely to come as a shock to many previously unregulated entities.

The proposed rule set forth in the Notice of Proposed Rulemaking released by the U.S. Department of Health & Human Services (HHS) applies Security Rule provisions directly to business associates, a term which has been expanded to include subcontractors who create or use protected health information (PHI) while performing services for a business associate. The proposed rule implements the provisions of the Health Information Technology for Clinical Health (HITECH) Act that require business associates to directly comply with the Security Rule.

On July 14, 2010, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services published a Notice of Proposed Rulemaking (the “Proposed Rule”) to (a) implement the health information privacy and security related amendments of the HITECH Act and (b) make certain other modifications to the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and the Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”). Several aspects of the Proposed Rule are addressed in this edition of eSource; this article provides practical advice regarding implementation of its business associate (“BA”) agreement provisions.

The Office for Civil Rights (OCR) is responsible for issuing annual guidance to organizations under the HIPAA Security Rule, including, most recently, the administrative, physical and technical safeguarding of electronic protected health information (e-PHI). On May 7, 2010, the OCR released its draft guidance on risk analysis (Guidance) which will be updated following implementation of the final HITECH regulations. If you have played the strategic board game Risk®, then you will appreciate the OCR’s Guidance. If you have not played the game of Risk®, then this article is for you.

Did you know your membership in the ABA Health Law Section qualifies you for free membership in up to three interest groups of your choice? Interest groups, which are comprised of twelve practices areas within health law, make significant contributions to the Section's programming, publications and legislative initiatives. The interest groups also provide an excellent opportunity for you to interact with and have access to some of the most outstanding lawyers in the legal community. You can enroll on our webpage by clicking here. If you have any questions or need more information, please contact Simeon Carson at Simeon.Carson@americanbar.org.

The eHealth, Privacy & Security Interest Group focuses on cutting edge issues dealing with technology and privacy as they relate to healthcare. Substantive topics of interest to committee members include health information privacy and security, electronic communications, electronic transactions and telehealth. The Interest Group will seek to encourage discussion and debate on emerging legal issues in these areas.